Exam 300-715 topic 1 question 102 discussion

Actual exam question from Cisco's 300-715
Question #: 102
Topic #: 1

A Cisco ISE server sends a CoA to a NAD after a user logs in successfully using CWA.
Which action does the CoA perform?

  • A. It terminates the client session.
  • B. It applies the downloadable ACL provided in the CoA.
  • C. It triggers the NAD to reauthenticate the client.
  • D. It applies new permissions provided in the CoA to the client session.
Suggested Answer: C

Comments

denverfly
Highly Voted 1 year, 4 months ago
Selected Answer: D
The correct answer is: - It applies new permissions provided in the CoA to the client session.
CoA, or Change of Authorization, is a feature of the RADIUS protocol that allows a RADIUS server to dynamically update the attributes of an existing session. In this case, Cisco ISE is the RADIUS server and the NAD is the device that is authenticating the user. After the user logs in successfully using CWA, Cisco ISE sends a CoA to the NAD with new permissions for the user. The NAD then applies these new permissions to the user's session.
The other options are incorrect:
It terminates the client session. This is not the purpose of a CoA. A CoA is used to update the attributes of an existing session, not to terminate it.
It applies the downloadable ACL provided in the CoA. This is not the only thing that a CoA can do. A CoA can also be used to update other attributes of an existing session, such as the user's IP address or VLAN.
It triggers the NAD to reauthenticate the client. This is not the purpose of a CoA. A CoA is used to update the attributes of an existing session, not to force the client to reauthenticate.
upvoted 5 times
Rashford10
2 months, 2 weeks ago
CoA does not provide any new permissions. It simply instructs the NAD to do one of the following - disconnect a user’s session, bounce the port (perform a shut/no-shut), or even tell the device to reauthenticate the user. The new permissions will then be applied by the results of the authorization profile
upvoted 1 times
...
NikoTomas
7 months, 4 weeks ago
Wrong! "Cisco ISE sends a CoA to the NAD with new permissions for the user" - this is NOT TRUE, ISE sends CoA just to trigger REAUTHENTICATION, so NAD sends a NEW authentication request (RADIUS Access-Request) to the ISE with same session ID. ISE then evaluates the Authorization Policy and new session parameters (dACL, VLAN, etc...) are sent as a result of new authorization to the NAD (you can match second authorization by GuestFlow flag on ISE).
upvoted 4 times
...
...
matan24
Highly Voted 1 year, 6 months ago
Selected Answer: C
AGREE, THE ANSWER IS C. checked on cisco ISE CCNP official course.
upvoted 5 times
...
NikoTomas
Most Recent 7 months, 4 weeks ago
Correct is C) - CoA triggers the NAD to reauthenticate. SISE ebook: “Centralized Web Authentication uses a web portal that is hosted on ISE to receive the user’s credentials. The authenticator sends a MAB request to ISE, and ISE responds with a RADIUS Access-Accept and a URL redirection, and often a dACL limits the access to the network. After the credentials are received through the web portal, ISE sends a Change of Authorization (CoA) to the authenticator, causing REAUTHENTICATION. The reauthentication maintains the same session ID, and ISE is able to tie the user’s credentials to the MAB request and send the final authorization results for the end user.” - (continuation in comment)
upvoted 4 times
NikoTomas
7 months, 4 weeks ago
However, the SISE ebook is a little bit misleading in its CoA terminology in some places (probably due to brevity, the author does not always detail the particular CoA steps and just writes the result of the CoA) – one example for all in the CWA/BYOD section: “Step 9. The CoA from Phase 1 applies an ACL that permits traffic to the Google Play Store (the NSP-ACL ACL).” page 529 – BUT, there is a detailed schema for this part (Figure 16-67), where we can clearly see that ISE in fact sends a Reauth CoA to the NAD, which triggers a NEW RADIUS AUTHENTICATION (Access-Request), and AFTER the Authorization policy is evaluated (again), ISE sends the above-mentioned NSP-ACL ACL to the NAD. So the CoA was just a trigger for reauthentication.
upvoted 1 times
NikoTomas
7 months, 4 weeks ago
Another way how to find out what ISE really does when it sends CoA - look at Live Log: SISE ebook: "Live Log always includes some blank lines in the identity column, as shown in Figure 21-15. These blanks indicate Change of Authorization (CoA) events." (page 774) - As you open CoA log entry, you can see RADIUS parameters inside CoA, which ISE sent to NAD (there is just CiscoAVpair = subscriber:command = reauthenticate + session ID).
upvoted 1 times
...
...
...
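Added example (not part of any comment above, and not Cisco's code): a small Python decoder that reads a RADIUS CoA-Request (RFC 5176, code 43) and reports whether it carries only a `subscriber:command` plus session identifiers, or also pushes attributes of its own. The names `summarize_coa`, `avpair` and `AUTHZ_ATTRS` are hypothetical; the sample packet is constructed with a zeroed authenticator, reusing the session ID and MAC address from the WLC debug quoted on this page.

```python
import struct

COA_REQUEST = 43                            # RFC 5176 packet code
VENDOR_SPECIFIC, CISCO, AVPAIR = 26, 9, 1   # attribute 26, vendor ID 9, Cisco-AVPair
CALLING_STATION_ID = 31
# Standard attributes that would carry authorization themselves (illustrative subset)
AUTHZ_ATTRS = {11: "Filter-Id", 81: "Tunnel-Private-Group-ID"}

def parse_attrs(data):
    """Yield (type, value) for each attribute in a RADIUS TLV stream."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]

def summarize_coa(pkt):
    """Report what a CoA-Request asks the NAD to do and for which session."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    out = {"code": code, "command": None, "session_id": None,
           "station": None, "pushed_attrs": []}
    for atype, value in parse_attrs(pkt[20:]):
        if (atype == VENDOR_SPECIFIC and len(value) > 6
                and value[:5] == struct.pack("!IB", CISCO, AVPAIR)):
            key, _, val = value[6:].decode().partition("=")
            if key == "subscriber:command":
                out["command"] = val
            elif key == "audit-session-id":
                out["session_id"] = val
            else:
                out["pushed_attrs"].append(key)   # any other AV pair, listed for review
        elif atype == CALLING_STATION_ID:
            out["station"] = value.decode()
        elif atype in AUTHZ_ATTRS:
            out["pushed_attrs"].append(AUTHZ_ATTRS[atype])
    return out

def avpair(text):
    """Encode one Cisco-AVPair as a Vendor-Specific attribute (sample builder)."""
    vsa = struct.pack("!IBB", CISCO, AVPAIR, len(text) + 2) + text.encode()
    return bytes([VENDOR_SPECIFIC, len(vsa) + 2]) + vsa

# Constructed sample: zeroed authenticator, identifiers from the debug quoted on this page
ATTRS = (bytes([CALLING_STATION_ID, 19]) + b"d0:37:45:89:ef:64"
         + avpair("subscriber:command=reauthenticate")
         + avpair("audit-session-id=0a6a207a0000000b5fe90410"))
SAMPLE = struct.pack("!BBH", COA_REQUEST, 1, 20 + len(ATTRS)) + bytes(16) + ATTRS

if __name__ == "__main__":
    print(summarize_coa(SAMPLE))
```

An empty `pushed_attrs` list alongside `command` set to `reauthenticate` is the shape of CoA that the Live Log description above refers to.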
faridh
1 year, 2 months ago
Selected Answer: D
look at denverfly comment
upvoted 1 times
faridh
1 year, 2 months ago
ciscopress book page 313: Step 5. ISE sends a reauthentication Change of Authorization (CoA-reauth) to the switch. This causes the switch to send a new MAB request with the same SessionID to ISE, and it is processed. Step 6. ISE sends the final authorization result to the switch for the end user. it is obviously said that ISE sends the "FINAL AUTHORIZATION RESULT" which means same as new permissions provided in D choice.
upvoted 1 times
NikoTomas
7 months, 4 weeks ago
"switch to send a new MAB request" = NEW AUTHORIZATION => i.e. new evaluation of Authorization Policy and new authorization result. CoA is just trigger. Final authorization result is delivered upon request, which CoA triggers.
upvoted 1 times
...
...
...
johndelorien
1 year, 4 months ago
Selected Answer: C
https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html
On the WLC this can be seen in AAA all debugs.
*radiusCoASupportTransportThread: audit session ID recieved in CoA = 0a6a207a0000000b5fe90410
*radiusCoASupportTransportThread: Received a 'CoA-Request' from 10.106.32.25 port 23974
*radiusCoASupportTransportThread: CoA - Received IP Address : 10.106.32.122, Vlan ID: (received 0)
*radiusCoASupportTransportThread: d0:37:45:89:ef:64 Calling-Station-Id ---> d0:37:45:89:ef:64
*radiusCoASupportTransportThread: Handling a valid 'CoA-Request' regarding station d0:37:45:89:ef:64
*radiusCoASupportTransportThread: Sending Radius CoA Response packet on srcPort: 1700, dpPort: 2, tx Port: 23974
*radiusCoASupportTransportThread: Sent a 'CoA-Ack' to 10.106.32.25 (port:23974)
After this the client is reauthenticated and granted access to the network.
upvoted 3 times
...
Vlad_Is_Love_ua
1 year, 6 months ago
Selected Answer: D
It is D.
upvoted 1 times
...
Cnoteone
1 year, 7 months ago
Selected Answer: B
This flow includes several redirections. The new approach is to use CWA. The flow includes these steps:
The user associates to the web authentication SSID, which is in fact open. No Layer 2 and layer 3 security, only Mac Filtering enabled.
The user opens the browser.
The WLC redirects to the guest portal.
The user authenticates on the portal.
The ISE sends a RADIUS Change of Authorization (CoA - UDP Port 1700) to indicate to the controller that the user is valid, and eventually pushes RADIUS attributes such as the Access Control List (ACL).
The user is prompted to retry the original URL.
upvoted 2 times
...
tliz
1 year, 8 months ago
Selected Answer: C
See SISE 200-715 Official Cert Guide, pg 313 Step 5 ISE sends an authentication Change of Authorization (CoA-Reauth) to the switch. This causes the switch to send a new MAB request with the same SessionID to ISE and it is processed. This new MAB Request is a ReAuthentication request.
upvoted 3 times
rhylos
1 year, 5 months ago
B- I don't see anything in the official guide that says the new MAB request of a ReAuth. new MAB request responds with the access permissions Upon successful authentication, Cisco ISE sends the authorization profile that is associated with the authenticated user in the form of a CoA request to the NAD. The NAD applies the received new authorization settings and then sends a new MAB request to the PSN, using the same session ID from the previous request. The PSN matches the new MAB request to an authenticated guest authorization policy and responds with the access permissions defined in that policy (full access in the figure).
upvoted 1 times
...
...
Russ
1 year, 10 months ago
In the context of CWA, which is what the question is asking, B seems like the best answer. From the CWA with ISE and WLC guide: The ISE sends a RADIUS Change of Authorization (CoA - UDP Port 1700) to indicate to the controller that the user is valid, and eventually pushes RADIUS attributes such as the Access Control List (ACL).
upvoted 2 times
...
iceise
1 year, 11 months ago
Selected Answer: C
https://www.cisco.com/c/en/us/td/docs/routers/cloud_edge/c8300/software_config/cat8300swcfg-xe-17-book/m-chng-of-auth.html Change of Authorization (CoA) provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is authenticated. Identity-Based Networking Services supports change of authorization (CoA) commands for session query, reauthentication, and termination, port bounce and port shutdown, and service template activation and deactivation.
upvoted 2 times
iceise
1 year, 11 months ago
Chapter 12 cisco ccnp book:
10. Which of the following statements most accurately describes the use of Change of Authorization (CoA) in relation to CWA?
a. The CoA-Reauth causes the NAD to reauthenticate the endpoint within the same session, and ISE is then able to tie together the MAB and CWA authentications.
b. The CoA sends a Packet of Disconnect (PoD) to the NAD, which starts a new session based on the web credentials.
c. The CoA-Reauth causes the NAD to reauthenticate the endpoint, which starts a new session based on the web credentials.
d. The CoA sends a PoD to the NAD, and ISE is able to tie the original MAB session to the new Web Authentication session by correlating the MAC addresses from both authentication sessions.
Answer: 10. a.
Explanation: The CoA is a key function. Specifically, it is a CoA-Reauth and causes a switch to reauthenticate the endpoint without starting a new session. The switch sends another MAB request to ISE, which is able to tie the guest authentication from the centralized portal to the MAB request from the switch and assign the appropriate
upvoted 1 times
...
...
ismine9
2 years ago
C https://documentation.meraki.com/MR/Encryption_and_Authentication/CWA_-_Central_Web_Authentication_with_Cisco_ISE
upvoted 3 times
...
awhamm
2 years ago
Selected Answer: B
I think B is still correct since the MAB authorization initial access ACL gets 'updated' to a full access ACL.
upvoted 1 times
...
shonda319
2 years, 1 month ago
Selected Answer: C
ISE sent a CoA in order to re-authenticate the client.
upvoted 3 times
...